Getting Cancan's load_and_authorize_resource working within a custom create action

Question

Trying to set up Cancan within an app of mine and having trouble with my PostsController.

In a nutshell, when a Post is created I'd like it associated with the current_user so my create action looks something like this:

class PostsController < ApplicationController
  before_filter :login_required, :except => [:index, :show]
  load_and_authorize_resource
  ...
  def create
    # @post = Post.new(params[:post])   # <-- covered by load_and_authorize_resource
    @user = current_user
    @post = @user.posts.create(params[:post])
    respond_to do |format|
    ...
  end
  ...
end

I'm not exactly sure what load_and_authorize_resource is intended to do (other than the obvious). But what about in a situation like this? Do I need to override the load_and_authorize_resource for the create action somehow? or is there another (read: better) way to go about loading the @user and THEN creating the @post?

Answer 1

I think the best solution, since this is a unique problem, for you to alter load_and_authorize_resource line to this:

load_and_authorize_resource :except => [:create]

And the action to this:

def create
  authorize! :create, Post
  current_user.posts.create(params[:post])
end

Answer 2

A simpler solution to your problem would be to use a nested-resource, rather than creating a custom action

Directly taken from the CanCan Wiki:

Nested-Resources

As of 1.4, it's also possible to nest through a method, this is commonly the current_user method.

 class ProjectsController < ApplicationController
   load_and_authorize_resource :through => :current_user
 end 

Here everything will be loaded through the current_user.projects association.

This should be safer as well, as loading of a post will be done through the association for other actions in your controller